How to read a DMARC aggregate (RUA) report — the XML explained

You started receiving DMARC aggregate reports — gzipped XML attachments from Google, Microsoft, Yahoo and others — and the raw XML is unreadable.

Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English.
Run the free check →

What this means

A DMARC aggregate report is an XML document with three parts: <report_metadata> (who generated it and the report ID), <policy_published> (the DMARC policy that receiver saw for your domain), and one <record> per source IP — each with a message count and the SPF, DKIM and DMARC results for that source. The <date_range> begin/end are Unix epoch timestamps you have to convert to real dates. The schema is defined in the DMARC standard: aggregate reporting is now its own document, RFC 9990 (it was previously part of RFC 7489 §7.2). Source: RFC 9990 — DMARC Aggregate Reporting (RFC Editor) · verified 2026-07-18.

What to do about it

Step 1. Read <policy_published> first — it shows the p=, sp= and alignment the receiver applied, which tells you what they think your policy is.
Step 2. For each <record>, match the source_ip to a sending service and check whether SPF and DKIM passed and aligned — a source that fails both is either a broken legitimate sender or a spoofer.
Step 3. Convert the <date_range> epoch numbers to dates so you know which week the data covers.
Step 4. Rather than parse every file by hand, run the free check below — or connect your domain so each source IP is named in plain English instead of left as a bare address.

Frequently asked

Is a DMARC-policy bounce my fault or the recipient's?

It's about your domain's authentication, not the recipient's mailbox. A “5.7.1 rejected due to DMARC policy” message means your own From domain failed DMARC and publishes an enforcing policy — so the fix is on your DNS and sending configuration, not the recipient's side.

Do I need special software to read DMARC aggregate reports?

You can open one by hand — they're just XML — but they're designed to be machine-read. A monitoring tool that names each source IP in plain English and tracks pass rates over time is what makes them useful week to week, instead of decoding gzip XML every day.

How long after a fix before a bounce or report clears?

DNS changes propagate within a few hours (up to 48h). For anything you diagnose from aggregate reports, new reports arrive daily, so allow a day or two to confirm a source now passes and aligns.

Don't want to babysit DNS records?
DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection.
Start free monitoring →